SCA on Owner users
Mangopay started communicating by email about SCA on Owners during February 2025. Your platform will be required to complete the necessary integrations, with specific deadlines communicated during the year.
If you have questions that aren’t addressed in the pages below, or in our dedicated FAQ, please get in touch with our teams via the Dashboard.
Mangopay is implementing strong customer authentication (SCA) on your platform’s users to enhance security and to comply with European regulations (PSD2) as a regulated payment services provider (PSP) and electronic money institution (EMI).
Mangopay’s SCA solution allows your platform to protect users’ funds and payment activity via a Mangopay-hosted experience.
Strong customer authentication (SCA) is a form of multi-factor authentication (MFA, also 2FA), where a user authenticates using evidence of different categories (knowledge, possession, and inherence). SCA is mandated by European regulations (PSD2). The same regulations are behind 3DS authentication applied to card payments or alternative requirements for other payment methods.
Multi-factor or two-factor authentication (MFA or 2FA) is also widely used for security in software apps. For example, Mangopay’s Dashboard also uses MFA to authenticate your platform’s team members when they connect. The SCA feature described in these pages relates to end users of your platform.
Scope
Note – SCA applies to all Owner users
Mangopay’s SCA feature will only apply to users categorized as Owner, because these users are subject to Mangopay’s T&Cs and as such hold a Mangopay account.
Users categorized as Payers will not be affected by Mangopay’s SCA.
SCA is applicable to all existing users as well as new ones. Read more about enrolling existing users.
SCA requires the Owner user to authenticate with Mangopay directly as they are the Mangopay account holder.
For Natural users, enrollment of the OTP factor is available to integrate, requiring the individual’s phone number and email. The email is already required for Natural users. To simplify adoption, your users can provide their phone number during the SCA session – you don’t have to send it via the API.
For Legal users, enrollment of the OTP factor is fully available to integrate for Soletraders. The individual’s email must be provided via the API, in the LegalRepresentative.Email property, but the phone number can be entered by the individual during the SCA session.
Platforms should implement the new endpoints for the other types of Legal user (Business, Organization, Partnership). However, these user types will be exempted in the first instance until Mangopay provides the functionality to designate additional authorized individuals who can complete SCA on behalf of the entity.
Until then, if LegalPersonType is BUSINESS, PARTNERSHIP or ORGANIZATION, then the SCA-enabled user endpoints do not return the SCA redirection link.
What your platform needs to do
Your platform needs to integrate the new user endpoints to handle SCA in the following scenarios for Owner users.
The dedicated enrollment guides linked below provide a step-by-step walkthrough of each case:
# | Action | Guide |
---|---|---|
1 | Enrollment of new Owners (Natural and Legal Soletraders) users using OTP authentication when you register them for the first time (at user creation) | |
2 | Enrollment of Owners (Natural and Legal Soletraders) users using OTP authentication when they transition from a Payer (on categorization) | |
3 | Enrollment of all existing Owners (Natural and Legal Soletraders) users in OTP authentication | |
4 | Re-enrollment of Owners (Natural and Legal Soletraders) users when they change the phone number or email. | |
In all cases, to enroll the user your platform must redirect the individual to a Mangopay-hosted webpage. The redirection URL for the SCA session is returned by the Mangopay API in the response property PendingUserAction.RedirectUrl. Before redirecting, you need to define, encode, and append a returnUrl to which the session returns the user afterwards (whatever the outcome).
See the SCA session guide for details on this redirection process. Mangopay will use the same mechanism for all SCA-related features, both enrollment and authentication of planned features.
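The redirect step described above, as an added example (not Mangopay's own code): it handles a response with no redirection link, such as the exempted Legal user types, and rejects a returnUrl outside the platform's own origin so the step cannot be used as an open redirect. The function name, the hostnames, and appending returnUrl as a query parameter are assumptions; the SCA session guide is the reference for the exact format.

```javascript
// Added example, not from the Mangopay documentation.
// Assumption: the origin your platform serves its return page from.
const PLATFORM_ORIGIN = "https://platform.example.test";

// Returns the URL to redirect the user to, or null when the API response
// carries no SCA redirection link (nothing to authenticate for this call).
function buildScaRedirect(apiResponse, returnUrl) {
  const redirectUrl = apiResponse?.PendingUserAction?.RedirectUrl;
  if (!redirectUrl) return null;

  // Parse to reject malformed or non-HTTPS values before sending a user there.
  const target = new URL(redirectUrl);
  if (target.protocol !== "https:") {
    throw new Error("SCA redirect URL must use https");
  }

  // Pin the return address to the platform's own origin. If any part of
  // returnUrl is built from request data, this blocks redirection elsewhere.
  const back = new URL(returnUrl);
  if (back.origin !== PLATFORM_ORIGIN) {
    throw new Error("returnUrl must point to the platform origin");
  }

  // Encode the whole return URL so its own "?" and "&" cannot be read as
  // parameters of the SCA session URL. Assumes RedirectUrl has no fragment.
  const separator = target.search ? "&" : "?";
  return redirectUrl + separator + "returnUrl=" + encodeURIComponent(back.href);
}

// Constructed sample responses (values are placeholders, not real API output).
const soletraderResponse = {
  LegalPersonType: "SOLETRADER",
  PendingUserAction: { RedirectUrl: "https://sca.example.test/session?token=constructed" },
};
const businessResponse = { LegalPersonType: "BUSINESS" };

console.log(buildScaRedirect(soletraderResponse, PLATFORM_ORIGIN + "/sca/done?uid=user_123"));
console.log(buildScaRedirect(businessResponse, PLATFORM_ORIGIN + "/sca/done?uid=user_456"));
```

Because the session returns the user to returnUrl whatever the outcome, arrival at that page is not evidence that enrollment succeeded; confirm the result server-side before unlocking anything.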
Best practice – Anticipate integration
Your platform will be required to complete additional integration during 2025 as Mangopay releases new SCA-related features.
More details about Mangopay’s planned features for SCA-controlled actions are listed in the table below.
Factors
Mangopay is providing the following authentication factors.
Availability | Factor | Description | Type |
---|---|---|---|
Available | Phone-based one-time passcode (OTP) | The user provides and authenticates (that is, enrolls) their device and then, to authenticate an action, receives an SMS OTP and provides it to Mangopay. | Possession |
Planned | Personal identification number (PIN) | The user defines a 6-digit PIN code and then, to authenticate an action, provides the PIN to Mangopay. | Knowledge |
Mangopay is delivering SCA via a unique session on a hosted web page. The URL will be returned on the relevant API calls for enrolling factors or authenticating actions: in the response property PendingUserAction.RedirectUrl – see SCA session for details.
The same system will be used for all authentication factors, both available and planned.
OTP
In one-time passcode (OTP) authentication, the SCA session provides the Owner user a screen where they can provide (or confirm) their phone number, request an OTP by SMS, and submit it.
Once the user requests the OTP, they have 5 minutes to enter it. The total SCA session times out after 10 minutes.
The individual can enter the phone number to be used for SMS OTP during the SCA session – you don’t have to provide it via the API, but you can do so to pre-populate the SCA session.
If your platform has already added it to the Natural User (PhoneNumber) or Legal User (LegalRepresentative.PhoneNumber) object, then the value is pre-populated in the SCA session. The individual is asked to confirm or modify the data before continuing.
Note – SCA session data doesn’t update API
The phone number provided or confirmed by the user during the SCA session is not subsequently updated in the User API object.
Changing the PhoneNumber or LegalRepresentative.PhoneNumber data in the API object triggers SCA re-enrollment.
The SCA session allows the individual to re-send an OTP if they don’t receive it. And if they refresh the page at the dedicated link, they are still able to use the same session.
Testing
In Sandbox, you can use the PhoneNumber +33611111111 (or 0611111111 and FR) and the passcode 702100 to simulate a successful flow.
You can also test by using a real phone number to receive the SMS OTP.
Best practice – Explore using Postman collection
Mangopay’s Sandbox API Postman collection has the SCA endpoints set up ready for you to test the solution. For help getting started with Mangopay’s collection, see the dedicated guide.
PIN
The PIN code factor is still in development, but it will be managed via the same hosted session and RedirectUrl.
Actions requiring SCA
The regulations apply SCA to situations where an Owner user accesses or initiates certain payment activities, or to other situations considered at risk.
The table below lists the actions that relate to enrollment of the user and those that will be authenticated by SCA. As indicated, some are available to integrate. For others, the anticipated release date is given.
Availability | Action | Description | Possible exemptions |
---|---|---|---|
Available | Enrollment of existing | Existing users with the | None – this is enrollment. |
Available | Creation of a new | When a User with the | None – this is enrollment. |
Available | Transition of a User from | When a | None – this is enrollment. |
Available | Change of contact details | When an SCA-enrolled user changes their phone number or email they must re-enroll the new details. | None – this is re-enrollment. |
April 2025 | Registration of a Recipient (external bank or payment account) | When an Mangopay is releasing a new version of the Bank Account object called Recipients. Registering a Recipient will require SCA. As well as supporting SCA, Recipients will allow validation of account details, supporting faster and more reliable local and international payouts. | None. SCA on the Recipient registration means payout requests can be exempted as the bank account is considered a trusted beneficiary. |
April 2025 | Transfer from one | Transfers from one | Mangopay is developing its Transfers functionality to allow for technical or automated transfers as part of specific workflows. This will be done via a new body parameter |
April 2025 | View wallet balance | When an Owner user wishes to view their wallet balance, they may be required to authenticate. | SCA is applicable on first-time access and if more than 180 days have passed since the last wallet consultation event. |
April 2025 | View transaction history | When an Owner user wishes to see past transactions crediting or debiting their wallet, they may be required to authenticate. | SCA is applicable on first-time access, and if more than 180 days have passed since the last wallet consultation event (provided the transactions are not older than 90 days). |
SCA authentication will be delivered in the same way across all SCA-controlled actions: via a hosted web page returned in the response property PendingUserAction.RedirectUrl on the relevant API call. See SCA session for details on how to redirect a user for SCA.